IN THE CLAIMS:

Please amend claims 1, 2, 5, 6, 7, 12, 13, 15, 18, 19, and 20 as follows. 

1. (Currently Amended) A system for providing secure mobile connectivity that 
implements Mobile IP Home Agent functionality via distributed components, comprising: 

a mobile node belonging to a home network located within a secure network, the mobile
node having a network interface configured to communicate with other nodes, the mobile node
having only one security association and only one mobility binding with a [[Home Agent]] home
agent (HA) for the [[Mobile]] mobile IP [[Home Agent]] home agent functionality;

a [[Proxy Home Agent]] proxy home agent (PHA) connected to the home network and
located within the secure network, wherein the PHA is configured to provide a proxying
functionality;

the HA located outside of the secure network, wherein the HA is configured to provide a 
signaling and tunneling functionality and to notify the PHA of the mobile node; and 

a virtual private network (VPN) gateway located outside the secure network and
configured to work in conjunction with the HA.

2. (Currently Amended) The system of Claim 1, wherein the VPN gateway and the
HA are located within a single device within a demilitarized zone (DMZ).

3. (Original) The system of Claim 1, further comprising a firewall coupled to the 
secure network and the VPN gateway; wherein the HA is located within the firewall. 

4. (Original) The system of Claim 1, wherein the HA is a separate device from the
VPN gateway.

5. (Currently Amended) The system according to claim 1, further comprising:

a demilitarised zone (DMZ) located outside the secure network, wherein the VPN
gateway and the HA reside in the DMZ; a first firewall between the secure network and the
DMZ; a second firewall between the DMZ and an external network configured to deny
communications from the external network with a source address in the known range; and
wherein the mobile node has a permanent address in a known range.

6. (Currently Amended) The system according to claim 1, further comprising:

a demilitarised zone (DMZ) located outside the secure network, wherein the VPN
gateway and the home agent reside in the DMZ; a first firewall between the secure network and
the DMZ; wherein the mobile node has a permanent address in a known range and the first
firewall is programmed to deny all communications from the DMZ with a source address in the
known range; and wherein the VPN gateway has a direct connection to an internal interface of
the first firewall such that the first firewall considers the VPN gateway transmitted data as
internal to the secure network.

7. (Currently Amended) The system of Claim 1, further comprising a demilitarised
zone (DMZ) comprising a first router coupled to a second router that is coupled to a firewall, the
VPN gateway coupled to the first router and the firewall; the HA coupled to the first router.

8. (Previously Presented) The system of Claim 7, wherein packets from the mobile
node destined toward nodes inside the secure network first go to the HA and then to the VPN
gateway that is configured to forward the packets through the firewall to the secure network.

9. (Original) The system of Claim 8, wherein packets from the second router to the 
firewall having a source address in a known range are dropped by the firewall. 

10. (Previously Presented) The system according to claim 1, wherein a router is 
directly connected to a firewall and the VPN gateway and the HA connect to a different interface 
of the router and the firewall. 

11. (Original) The system of Claim 10, wherein the firewall is configured such that it 
considers the interface with which it connects to the VPN gateway as an internal interface and 
packets with a source address that are outside of a known address range received on the internal 
interface are dropped, and packets with a source address that are within the known address range 
that are received by the firewall on an external interface are dropped. 

12. (Currently Amended) The system of Claim 11, wherein VPN encapsulated
packets are forwarded to the VPN gateway and when a [[Security Association]] security association
(SA) exists, the packet is decrypted and forwarded to the firewall on the internal interface and
when a SA does not exist the packet is dropped.
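As an added illustration of the filtering rules recited in claims 11 and 12 (example code, not part of the application), the Python below models the firewall's two-direction source-address check and the VPN gateway's security-association gate; the internal prefix, the addresses and the SA table are constructed values.

```python
"""Model of the packet handling in claims 11 and 12 (added example; the
prefix, addresses and SA table below are constructed for illustration)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The "known address range": the internal prefix in which mobile nodes hold
# their permanent addresses (constructed value).
KNOWN_RANGE = ipaddress.ip_network("10.10.0.0/16")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    interface: str  # firewall interface the packet arrives on: "internal" or "external"


@dataclass(frozen=True)
class VpnPacket:
    outer_src: str  # mobile node's current (care-of) address, the VPN peer
    inner_src: str  # permanent address carried inside the encrypted payload
    inner_dst: str


def firewall_decision(pkt: Packet) -> str:
    """Claim 11: the interface facing the VPN gateway is treated as internal.
    Drop internal-interface packets whose source lies outside the known range
    and external-interface packets whose source lies inside it (spoofing in
    either direction); forward everything else."""
    inside = ipaddress.ip_address(pkt.src) in KNOWN_RANGE
    if pkt.interface == "internal" and not inside:
        return "drop"
    if pkt.interface == "external" and inside:
        return "drop"
    return "forward"


def vpn_gateway(vpn: VpnPacket, sa_table: set) -> Optional[Packet]:
    """Claim 12: decrypt only when a security association exists for the peer
    and present the decrypted packet on the firewall's internal interface;
    return None when the packet is dropped for lack of an SA."""
    if vpn.outer_src not in sa_table:
        return None
    return Packet(vpn.inner_src, vpn.inner_dst, "internal")


def handle_vpn_packet(vpn: VpnPacket, sa_table: set) -> str:
    """Gateway first, then firewall, as in claims 12 and 13."""
    decrypted = vpn_gateway(vpn, sa_table)
    return "drop" if decrypted is None else firewall_decision(decrypted)
```

The final case in the assertions shows why both stages matter: a packet that passes the SA check but carries an inner source outside the known range is still dropped by the firewall.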

13. (Currently Amended) The system of Claim 12, wherein [[Mobile]] mobile IP packets
and VPN encapsulated packets first reach the [[Home Agent]] home agent which are forwarded to
the VPN gateway and then to the secure network through the firewall's internal interface.

14. (Previously Presented) The system of Claim 1, further comprising a firewall
coupled to the secure network and the VPN gateway; and a router includes an access control list
used to drop packets that have a source address that belongs to a known address range.

15. (Currently Amended) A method for secure communication between a mobile
node associated with a home network in a secure network and a correspondent node,
comprising:

establishing a [[Proxy Home Agent]] proxy home agent (PHA) located within the secure
network to monitor data directed to the mobile node;

establishing a [[Home Agent]] home agent configured to create only one security association
with the mobile node and only one mobility binding with the mobile node and to notify the PHA
of the mobile node;

collecting data directed to the mobile node; 

packaging the collected data in a virtual private network (VPN) secure tunnel to an
internal address of the mobile node to create VPN packaged data; and

tunneling the VPN packaged data to a current address of the mobile node.

16. (Original) The method of claim 15, wherein the VPN secure tunnel follows the IP
security protocol.

17. (Original) The method of claim 15, wherein the tunneling of the VPN packaged 
data to the external mobile node occurs according to the IP mobility protocol. 

18. (Currently Amended) The method of Claim 15, further comprising: packaging the
collected data in an IP-in-IP tunnel and sending it to a VPN device for VPN encryption and
tunneling the VPN packaged data to the current address of the [[Mobile]] mobile node.

19. (Currently Amended) A system for secure mobile connectivity that implements
[[Mobile]] mobile IP [[Home Agent]] home agent functionality via distributed components, comprising:

means for establishing a [[Proxy Home Agent]] proxy home agent (PHA) located within a
secure network to monitor data directed to a mobile node;

means for establishing a [[Home Agent]] home agent configured to create only one security
association with the mobile node and only one mobility binding with the mobile node and to
notify the PHA of the mobile node;

means for collecting data directed to the mobile node; 

means for packaging the collected data in a virtual private network (VPN) secure tunnel
to an internal address of the mobile node to create VPN packaged data;

means for tunneling the VPN packaged data to a current address of the mobile node;

means for the [[Home Agent]] home agent to communicate to the PHA that the mobile node
has moved outside its home network;

means for the [[Home Agent]] home agent to communicate to the PHA that the mobile node
has come back to its home network; and

means for enabling the PHA to create and remove a proxy address resolution protocol 
(ARP) entry for a permanent address associated with the mobile node. 

20. (Currently Amended) A computer program embodied on a computer readable
medium, the computer program being configured to control a processor to perform [[computer
software product comprising instructions that cause an electronic device to perform]]:

establishing a proxy home agent (PHA) located within a secure network to monitor data
directed to a mobile node;

establishing a home agent configured to create only one security association with the
mobile node and only one mobility binding with the mobile node and to notify the PHA of the
mobile node;

collecting data directed to the mobile node;

packaging the collected data in a virtual private network (VPN) secure tunnel to an
internal address of the mobile node to create VPN packaged data; and

tunneling the VPN packaged data to a current address of the mobile node [[the actions of
Claim 15]].